b"                            OFFICE OF\n                     THE INSPECTOR GENERAL\n\n\n                         U.S. NUCLEAR\n                    REGULATORY COMMISSION\n\n\n                        Audit of NRC\xe2\x80\x99s Protection of\n                          Safeguards Information\n\n\n                      OIG-04-A-04        January 8, 2004\n\n\n\n\n                       AUDIT REPORT\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                               NRC\xe2\x80\x99s website at:\n             http://www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                         January 8, 2004\n\n\n\n\nMEMORANDUM TO:                William D. Travers\n                              Executive Director for Operations\n\n\n\nFROM:                         Stephen D. Dingbaum/RA/\n                              Assistant Inspector General for Audits\n\n\nSUBJECT:                      AUDIT OF NRC\xe2\x80\x99s PROTECTION OF SAFEGUARDS\n                              INFORMATION (OIG-04-A-04)\n\n\nAttached is the Office of the Inspector General\xe2\x80\x99s audit report titled, Audit of NRC\xe2\x80\x99s Protection of\nSafeguards Information.\n\nThe report reflects the results of our audit to assess the U.S. Nuclear Regulatory Commission\xe2\x80\x99s\n(NRC) process for protecting safeguards information (SGI). Overall, we found that NRC\xe2\x80\x99s use\nof SGI contains similarities to the Government-wide program to protect confidential information.\nIn light of the events of September 11, 2001, and a subsequent Executive Order redefining\nconfidential information, NRC should determine whether the SGI designation is still justified.\n\nNRC also needs to take strong action to limit inappropriate releases. Specifically, the agency\nneeds clear guidance on what constitutes SGI information and a central program authority to\nmaintain a sound and effective SGI program. The report also identifies concerns with the\nsecure telecommunications network that is used to transmit SGI information. Until the SGI\nprogram is strengthened, the likelihood of releasing SGI to unauthorized individuals will remain\nhigh.\n\nComments provided at the September 9, 2003, exit conference, during subsequent discussions,\nand in a December 12, 2003, written response to the draft report have been incorporated, as\nappropriate, in our final report. Appendix B contains the written response in its entirety.\nAppendix C contains our point-by-point analysis of the agency\xe2\x80\x99s formal comments.\n\nIf you have any questions, please call Russ Irish at 415-5972 or me at 415-5915.\n\nAttachment: As stated\n\ncc:     W. Dean, OEDO\n\x0cR. McOsker, OCM/RAM\nB. Torres, ACMUI\nB.J. Garrick, ACNW\nM. Bonaca, ACRS\nJ. Larkins, ACRS/ACNW\nP. Bollwerk III, ASLBP\nK. Cyr, OGC\nJ. Cordes, OCAA\nE. Merschoff, CIO\nJ. Funches, CFO\nP. Rabideau, Deputy CFO\nJ. Dunn Lee, OIP\nD. Rathbun, OCA\nW. Beecher, OPA\nA. Vietti-Cook, SECY\nW. Kane, DEDH/OEDO\nC. Paperiello, DEDMRS/OEDO\nP. Norry, DEDM/OEDO\nM. Springer, ADM\nJ. Dyer, NRR\nG. Caputo, OI\nP. Bird, HR\nC. Kelley, SBCR\nM. Virgilio, NMSS\nS. Collins, DEDR\nA. Thadani, RES\nP. Lohaus, STP\nF. Congel, OE\nM. Federline, NMSS\nR. Zimmerman, NSIR\nR. Wessman, IRO\nH. Miller, RI\nL. Reyes, RII\nJ. Caldwell, RIII\nB. Mallett RIV\nOPA-RI\nOPA-RII\nOPA-RIII\nOPA-RIV\n\x0c                                                 Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\nEXECUTIVE SUMMARY\n\n    BACKGROUND\n\n          The definition of safeguards information (SGI) is derived from Section 147 of the\n          Atomic Energy Act of 1954, as amended. It deals with information related to the\n          physical protection of operating power reactors, spent fuel shipments, or the\n          physical protection of special nuclear material. The U.S. Nuclear Regulatory\n          Commission (NRC) carries out the Act through the Code of Federal Regulations\n          and management directives to ensure that SGI is handled appropriately and is\n          protected from unauthorized disclosure.\n\n    PURPOSE\n\n          The Office of the Inspector General (OIG) conducted this audit to determine\n          whether NRC adequately defines what constitutes safeguards information,\n          ensures its protection, and prevents its inappropriate release to individuals who\n          should not have access to it.\n\n    RESULTS IN BRIEF\n\n          NRC has the authority, under the Atomic Energy Act, to establish an SGI\n          program. However, OIG identified the following weaknesses in the SGI program:\n\n          \xe2\x80\x98      The benefit of the SGI designation as sensitive unclassified information is\n                 not clear.\n\n          \xe2\x80\x98      Examples in which NRC and licensee representatives inappropriately\n                 released SGI to unauthorized individuals.\n\n          \xe2\x80\x98      NRC does not have a central authority for controlling, coordinating and\n                 communicating SGI program requirements.\n\n\n    A. SAFEGUARDS DESIGNATION MAY NOT BE NEEDED\n\n          NRC\xe2\x80\x99s SGI program contains similarities to the Government-wide program to\n          protect confidential information. As such, the benefits of maintaining a separate\n          program are not clearly justified in relation to the cost. Moreover, the agency\n          recently established a SGI-Modified Handling (SGI-M) designation that requires\n          some SGI information to be handled similarly to official use only information. As\n          a result, the agency now has two classes of SGI for marking protected\n          information, both of which appear similar to other programs. Yet, NRC has\n          determined neither the cost of maintaining nor the benefit derived from these\n          separate programs. Without this kind of data, no one knows whether the SGI\n          program should continue or be subsumed under the government-wide program.\n\n\n                                           i\n\x0c                                            Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\nB. INAPPROPRIATE RELEASE OF SAFEGUARDS INFORMATION\n\n     Recent inappropriate releases of SGI occurred because of handling errors and\n     differing interpretations of what constitutes SGI. The agency is currently\n     reviewing the requirements related to SGI to ensure that the appropriate\n     protections are in place and that the requirements and guidance are clear. In\n     addition, at the time of this report, agency officials were developing a guidance\n     document to describe SGI clearly. However, until adequate tools and training\n     are provided to help with the correct designation and handling of SGI, the\n     likelihood of releasing SGI to unauthorized individuals remains. In effect, NRC\n     has an SGI program that some users do not understand or do not know how to\n     handle the SGI material.\n\nC. NO CENTRAL PROGRAM AUTHORITY FOR PROTECTING SGI\n\n     NRC controls do not ensure the protection of SGI because the agency lacks a\n     strong, coordinated SGI program. SGI responsibilities are split between various\n     agency offices and no entity controls the overall SGI program. This\n     decentralization of authority has resulted in (1) inadequate training to identify,\n     handle and distribute SGI, (2) insufficient coordination of the acquisition of\n     secure telecommunications equipment, (3) inadequate installation, maintenance\n     and testing of that equipment, (4) uncoordinated planning for automated\n     processing of SGI, and (5) flawed guidance on the use of LAN-based computers\n     to process SGI.\n\nRECOMMENDATIONS\n\n     The consolidated list of recommendations to the Executive Director for\n     Operations is on page 17.\n\nAGENCY COMMENTS\n\n     The Deputy Executive Director for Homeland Security and Preparedness stated\n     that NRC has made significant strides in improving the protection of SGI by NRC\n     employees and licensees subsequent to the events of September 11, 2001.\n     Overall, he believes that the SGI program is fulfilling its intended function.\n     However, he also acknowledges that improvements can be made to the program\n     and essentially agrees with the report\xe2\x80\x99s recommendations. The Deputy\n     Executive Director\xe2\x80\x99s major concern centers on the continued justification for an\n     SGI program vis-a-vis the national classified information system. He specifically\n     believes that it would not be an appropriate use of the NRC staff\xe2\x80\x99s time and\n     resources to conduct a cost-benefit study to justify the SGI designation. He\n     asked that OIG look at the wording of this recommendation to assure that it\n     accurately captures the OIG intent. The Deputy Executive Director also provided\n     detailed comments on the draft report for OIG consideration. (See appendix B\n     for a copy of the comments provided by the Deputy Executive Director.)\n\n\n\n                                      ii\n\x0c                                              Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\nOIG ANALYSIS OF AGENCY COMMENTS\n\n      The primary issue to OIG is whether continuing the SGI designation is justifiable\n      on its merits. During the course of this audit, the primary justification provided by\n      NRC staff for maintaining the SGI designation was the cost associated with\n      doing away with the designation and using the confidential designation in its\n      place. Furthermore, the more detailed comments to the draft report provided by\n      the Deputy Executive Director continued to discuss the costs associated with\n      eliminating the SGI designation.\n\n      OIG has reworded its initial recommendation to ensure that NRC formally\n      documents the justification for continued use of the SGI designation. The\n      justification could take several forms, such as a formal legal opinion that SGI is\n      required based on congressional or presidential direction, or it could be justified\n      on the basis of cost of maintaining the current SGI designation vis-a-vis the cost\n      of using the confidential designation. During the audit, NRC staff was not able to\n      provide any formal justification for the SGI designation other than anecdotal\n      accounts of the significant cost involved if it were to change or that it has been\n      done this way for the last 20 years. The issue for OIG is whether, in light of the\n      events of September 11, 2001, and a subsequent Executive Order redefining\n      confidential information, business as usual is still justified. (See appendix C for\n      detailed OIG analysis of the Deputy Executive Director\xe2\x80\x99s comments.)\n\n\n\n\n                                        iii\n\x0c                     Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               iv\n\x0c                                              Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\nABBREVIATIONS AND ACRONYMS\n\n    ADM       Office of Administration\n    AEA       Atomic Energy Act\n    CFR       Code of Federal Regulations\n    COMSEC    Communications Security\n    EDO       Executive Director for Operations\n    Fax       Facsimile machine\n    ISDN      Integrated Services Digital Network\n    LAN       Local Area Network\n    MD        Management Directive\n    NMSS      Office of Nuclear Materials Safety and Safeguards\n    NRC       U. S. Nuclear Regulatory Commission\n    NRR       Office of Nuclear Reactor Regulation\n    NSA       National Security Agency\n    NSIR      Office of Nuclear Security and Incident Response\n    NUREG     NRC technical report designation\n    OCIO      Office of the Chief Information Officer\n    OIG       Office of the Inspector General\n    RIS       Regulatory Issue Summary\n    SGI       safeguards information\n    STE       Secure Terminal Equipment\n    STU-III   Secure Telephone Unit\n\n\n\n\n                                         v\n\x0c                     Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               vi\n\x0c                                                                     Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\nTABLE OF CONTENTS\n\n    EXECUTIVE SUMMARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . i\n    ABBREVIATIONS AND ACRONYMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v\n    I.     BACKGROUND . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1\n    II.    PURPOSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2\n    III.   FINDINGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2\n              A.      SAFEGUARDS DESIGNATION MAY NOT BE NEEDED . . . . . . . . . . . . . . . . . . . . 2\n              B.      INAPPROPRIATE RELEASE OF SAFEGUARDS INFORMATION . . . . . . . . . . . . . . . 6\n              C.       NO CENTRAL PROGRAM AUTHORITY FOR PROTECTING SGI . . . . . . . . . . . . . 8\n    IV. NRC MANAGEMENT INITIATIVES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14\n    V.     CONSOLIDATED LIST OF RECOMMENDATIONS . . . . . . . . . . . . . . . . . . . . . . . 17\n\n\n    APPENDIX\n\n\n    A.     SCOPE AND METHODOLOGY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19\n    B.     AGENCY COMMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21\n    C.     DETAILED OIG ANALYSIS OF AGENCY COMMENTS . . . . . . . . . . . . . . . . . . . 29\n\n\n\n\n                                                            vii\n\x0c                     Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n              viii\n\x0c                                                          Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\nI. BACKGROUND\n\n            Based on a congressional request, the Office of the Inspector General (OIG)\n            conducted an audit and issued a report on the U.S. Nuclear Regulatory\n            Commission\xe2\x80\x99s (NRC) handling and marking of sensitive unclassified information1.\n            The objective of that audit was to assess NRC\xe2\x80\x99s program for handling, marking,\n            and protecting one category of sensitive unclassified information \xe2\x80\x94 official use\n            only. During that audit, an NRC Commissioner raised concerns about whether\n            NRC staff clearly understood what constitutes safeguards information, another\n            category of sensitive unclassified information. As a result, OIG initiated a follow-\n            on audit concerning the protection of safeguards information.\n\n            Derivation of Safeguards Information\n\n            The definition of safeguards information (SGI) is derived from Section 147 of the\n            Atomic Energy Act (AEA) of 1954, as amended. It deals with information related\n            to the physical protection of operating power reactors, spent fuel shipments, or\n            the physical protection of special nuclear material. The AEA states that SGI\n            identifies a licensee\xe2\x80\x99s or applicant\xe2\x80\x99s detailed:\n\n            \xe2\x80\xa2        Control and accounting procedures or security measures for the physical\n                     protection of special nuclear material;\n            \xe2\x80\xa2        Security measures for the physical protection of source material or\n                     byproduct material; and,\n            \xe2\x80\xa2        Security measures for the physical protection of and the location of\n                     certain plant equipment.\n\n            NRC Internal Controls for Safeguards Information\n\n            Following the AEA, NRC developed regulations to prevent the unauthorized\n            disclosure of SGI. NRC stipulated licensee requirements for protecting\n            safeguards information in Title 10 of the Code of Federal Regulations, Part 73,\n            Physical Protection of Plants and Materials, Section 73.21, (10 CFR 73.21).\n\n            SGI is part of NRC\xe2\x80\x99s Sensitive Unclassified Information security program.\n            Sensitive unclassified information consists of information designated as\n            safeguards, official use only, and proprietary. It also includes unclassified\n            information received from other sources (e.g., Government agencies,\n            contractors, licensees) and requires special protective measures.\n\n\n\n\n    1\n      OIG-03-A-01, Review of NRC\xe2\x80\x99s Handling and Marking of Sensitive Unclassified Information, October 16,\n    2002.\n\n                                                   1\n\x0c                                                Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n          Management Directive and Handbook (MD) 12.6, NRC Sensitive Unclassified\n          Information Security Program, provides staff requirements to protect SGI. These\n          requirements state that SGI:\n\n          \xe2\x80\xa2      must be communicated over secure telecommunications equipment;\n          \xe2\x80\xa2      must not be processed on the local area network (LAN);\n          \xe2\x80\xa2      must be properly marked; and,\n          \xe2\x80\xa2      must include a cover sheet to facilitate its recognition.\n\n\nII. PURPOSE\n\n          OIG performed this audit to determine whether NRC adequately:\n\n          \xe2\x80\x9a      defines SGI;\n          \xe2\x80\x9a      prevents the inappropriate release of SGI to anyone who should not have\n                 access to it; and,\n          \xe2\x80\x9a      ensures the protection of SGI.\n\n          Appendix A provides a detailed description of the audit\xe2\x80\x99s scope and\n          methodology.\n\n\nIII. FINDINGS\n\n          NRC has the authority, under the Atomic Energy Act, to establish an SGI\n          program. However, OIG identified the following weaknesses in the SGI program:\n\n          \xe2\x80\x98      The benefit of the SGI designation as sensitive unclassified information is\n                 not clear.\n          \xe2\x80\x98      Examples in which NRC and licensee representatives inappropriately\n                 released SGI to unauthorized individuals.\n          \xe2\x80\x98      NRC does not have a central authority for controlling, coordinating and\n                 communicating SGI program requirements.\n\n\n     A. SAFEGUARDS DESIGNATION MAY NOT BE NEEDED\n\n          NRC\xe2\x80\x99s SGI program contains similarities to the government-wide program to\n          protect confidential information. As such, the benefits of maintaining a separate\n          program are not clearly justified in relation to the cost. Moreover, the agency\n          recently established a SGI-Modified Handling (SGI-M) designation that requires\n          some SGI information to be handled similarly to official use only information. As\n          a result, the agency now has two classes of SGI for marking protected\n\n\n\n\n                                          2\n\x0c                                                  Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n        information, both of which appear similar to other programs. Yet, NRC has\n        determined neither the cost of maintaining nor the benefit derived from these\n        separate programs. Without this kind of data, no one knows whether the SGI\n        program should continue or be subsumed under the government-wide program.\n\n        Background\n\n        According to an NRC official, early in the agency\xe2\x80\x99s history, NRC recognized the\n        need to protect particular information related to nuclear topics that were not\n        classifiable under the National Security Information regime. Consequently, NRC\n        instituted a category of Sensitive But Unclassified information known as\n        \xe2\x80\x9cSafeguards Information\xe2\x80\x9d under Section 147 of the Atomic Energy Act. As a\n        result, the NRC has a 20-year history of protecting sensitive nuclear information\n        that does not meet the criteria for classification as National Security Information.\n\n                Definition of Confidential vs. Safeguards Information\n\n        Executive Order 12958, Classified National Security Information2, defines\n        confidential information as that which \xe2\x80\x9cthe unauthorized disclosure of which\n        reasonably could be expected to cause damage to the national security.\xe2\x80\x9d\n        [Section 1.2. (a)(3)]\n\n        One classification category to which confidential can be applied is:\n\n                vulnerabilities or capabilities of systems, installations, infrastructures,\n                projects, plans, or protection services relating to the national security,\n                which includes defense against transnational terrorism. [Section 1.4. (g)]\n\n        The various departments and agencies of the Federal Government classified\n        approximately 23.7 million documents in FY 2002. The definition of classified\n        document is understood and is standardized across the Government.\n\n        SGI is defined as information related to the physical protection of operating\n        power reactors, spent fuel shipments, or the physical protection of special\n        nuclear material. NRC is the only agency that uses the SGI designation.\n        Although there is no empirical data, NRC officials estimate that there may be a\n        few thousand SGI documents.\n\n\n\n\n2\n As amended by Executive Order 13292 dated March 25, 2003.\n\n\n                                            3\n\x0c                                                                  Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n                  Handling of Safeguards Information vs. Confidential Information\n\n                  According to NRC\xe2\x80\x99s \xe2\x80\x9cMinimum Requirements for Handling Classified and\n                  Sensitive Unclassified Information,\xe2\x80\x9d confidential information and SGI are handled\n                  similarly.\n\nCategory of        Transmission     Control    Storage         Reproduction    Cover    Access           Classification\nInformation        Outside NRC      Records                    Authority       Sheet    Authorization    Designation\n                                                                                                         Authorities\n\nCONFIDENTIAL       Certified Mail   Optional   Approved        As Needed       Yes      \xe2\x80\x9cL\xe2\x80\x9d and          Authorized\n                                               Security        Unless                   Need-to-         Classifier\n                                               Container       Prohibited by            Know\n                                                               Originator\n\nSGI                First Class      No         Bar Lock        As Needed       Yes      Need-to-         NRC Section\n                   Mail                        File                                     Know             Chiefs and\n                                               Cabinet                                                   Above\n\n                  As can be seen in the chart, SGI is handled like confidential information, with\n                  some lighter restrictions. OIG believes the additional cost of protecting\n                  confidential information is minor (e.g., sending documents by certified mail\n                  instead of first class or the cost of an approved security container instead of a\n                  bar lock). Thus, the cost of maintaining the SGI designation (e.g., the cost of\n                  maintaining the regulations, training, etc.) could be more than the additional\n                  costs of protecting confidential information.\n\n                  Handling of Safeguards Modified Information vs. Official Use Only\n                  Information\n\n                  While safeguards and security information at nuclear reactor sites licensed by\n                  NRC are handled as SGI, the agency recently notified certain materials licensees\n                  that they could use the designation \xe2\x80\x9cSafeguards Information-Modified Handling\n                  (SGI-M).\xe2\x80\x9d Although civil and criminal penalties applicable to SGI apply to\n                  unauthorized disclosures of SGI-M, the handling of SGI-M is more relaxed --\n                  more like Official Use Only information.\n\nCategory of        Transmission     Control    Storage         Reproduction    Cover    Access           Classification\nInformation        Outside NRC      Records                    Authority       Sheet    Authorization    Designation\n                                                                                                         Authorities\n\nOFFICIAL USE       First Class      No         See 1.          As Needed       Yes      Need-to-         Originator\nONLY               Mail                        Below                                    Know\n\nSGI-M              First Class      No         See 2.          As Needed       Yes      Need-to-         NRC Section\n                   Mail                        Below                                    Know             Chiefs and\n                                                                                                         Above\n 1.       Official use only information stored in NRC space with approved electronic access control or NRC contract\n          guards require no additional physical security measures.\n\n 2.       SGI-M stored in licensee space must be stored in a locked file drawer or container. SGI-M stored in NRC\n          space must be protected in the same manner as regular SGI information (e.g., bar-lock file cabinets).\n\n\n                                                           4\n\x0c                                       Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\nAdditionally, materials licensees may produce or process SGI-M information on\nan automatic data processing system requiring the use of entry codes or\npasswords, without the use of a standalone computer.\n\nAdditional Considerations\n\nAgency officials pointed out that additional requirements would be necessary to\nchange the SGI designation from sensitive unclassified information to classified\ninformation. One such requirement would be the need for security clearances\nfor licensee employees. They also said that this action would require additional\ncosts and increase the length of time to hire a new employee. Agency officials\nhave differing opinions on the costs licensees would incur with a change in the\ndesignation of SGI. One agency official estimated additional costs of\n$10,000,000 to the industry, based on an average of 500 employees per site at a\ncost of $200 per employee (actual Government cost is $145 per employee).\nAnother estimated costs to the industry of $14,372,000, based on the same per\nemployee cost, but using an average of 838 employees per site. Licensees\nstated that current industry costs associated with obtaining criminal checks,\nfingerprint checks, psychological evaluations and other tests to bring on a new\nemployee average $486.\n\nOIG believes that the requirements to bring new employees onto licensee sites\nare basically the same as those associated with obtaining appropriate security\nclearances for having access to confidential information. If licensees were to\nuse NRC as the vehicle for their security checks, new employees would be\nproperly vetted and receive a Government security clearance for about $145, a\ncost savings to the licensees. However, no one has conducted an in-depth\nevaluation of the benefit of the current safeguards program as compared to the\nadditional cost, if any, of using the Government-wide confidential designation.\n\nSummary\n\nEspecially in the aftermath of the terrorist attacks on September 11, 2001, the\nOIG questions whether the designation of SGI as sensitive unclassified\ninformation is justified or cost effective. OIG believes SGI information can be\nprotected by the standard confidential classification with little or no additional\ncost. Moreover, SGI-M can be adequately protected by the standard official use\nonly designation.\n\nAgency Comment and OIG Response\n\nIn his comments responding to the final draft report (see Appendix B), the\nDeputy Executive Director for Homeland Security and Preparedness indicated\nhis major concern centers on the continued justification for an SGI program vis-\na-vis the national classified information system. He specifically believes that it\nwould not be an appropriate use of the NRC staff\xe2\x80\x99s time and resources to\n\n\n\n\n                                 5\n\x0c                                            Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n     conduct a cost-benefit study to justify the SGI designation. He asked that OIG\n     look at the wording of this recommendation to assure that it accurately captures\n     the OIG intent.\n\n     The primary issue to OIG is whether continuing the SGI designation is justifiable\n     on its merits. As a result, OIG has reworded its initial recommendation to ensure\n     that NRC formally document the justification for continued use of the SGI\n     designation. The justification could take several forms, such as a formal legal\n     opinion that SGI is required based on congressional or presidential direction, or it\n     could be justified on the basis of the cost of maintaining the current SGI\n     designation vis-a-vis the cost of using the confidential designation.\n\n     RECOMMENDATION\n\n     OIG recommends that the Executive Director for Operations:\n\n     1.     Formally document the justification for continued use of the safeguards\n            information designation.\n\nB. INAPPROPRIATE RELEASE OF SAFEGUARDS INFORMATION\n\n     Recent inappropriate releases of SGI occurred because of handling errors and\n     differing interpretations of what constitutes SGI. The agency is currently\n     reviewing the requirements related to SGI to ensure that the appropriate\n     protections are in place and that the requirements and guidance are clear. In\n     addition, at the time of this report, agency officials were developing a guidance\n     document to describe SGI clearly. However, until adequate tools and training\n     are provided to help with the correct designation and handling of SGI, the\n     likelihood of releasing SGI to unauthorized individuals remains. In effect, NRC\n     has an SGI program that some users do not understand or do not know how to\n     handle the SGI material.\n\n     Background\n\n     The definition of SGI is provided within the Atomic Energy Act (AEA), the Code\n     of Federal Regulations, agency management directives, and other agency\n     guidance. However, the definition of SGI results in instances of differing\n     interpretations.\n\n\n\n\n                                      6\n\x0c                                                       Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n         Differences in the Interpretation of Safeguards Information Between\n         Licensees and NRC\n\n         Licensees and NRC staff have different interpretations for applying the SGI\n         designation. OIG interviewed NRC resident inspectors3 and licensee security\n         officials at 15 commercial nuclear power plant sites and 6 nuclear research and\n         test reactor facilities to try to understand these differences.\n\n         Licensee officials generally stated that the guidance for applying SGI was not\n         clear, there are inconsistencies in the guidance, and that over the years NRC\n         staff has imposed self-interpretations for SGI. A specific area of confusion is the\n         information included in licensees\xe2\x80\x99 weekly security force reports issued for each\n         commercial nuclear power plant to NRC. Resident inspectors and licensee\n         security officials stated that licensees do not believe the information provided for\n         the weekly security force report is SGI, yet NRC designates this as SGI.\n\n         Inappropriate Releases of SGI\n\n         Weaknesses in the SGI program are further evidenced by inappropriate releases\n         of SGI in documents and on public websites. One licensee presented a\n         contingency plan to Region IV that the licensee believed was cleansed of SGI.\n         The report made it through two licensee revisions without any identification that it\n         contained SGI. On its third revision, an NRC official determined the report\n         contained SGI. By this time, the licensee had shared the contingency plan with\n         local law enforcement and had to collect it back from them. In another instance,\n         a licensee prepared a presentation with pictures that compromised the security\n         of a commercial nuclear power plant. Originally, NRC expressed no concerns\n         that the presentation contained SGI and included it on the agency\xe2\x80\x99s website. It\n         was not until an NRC headquarters official determined that the presentation\n         included SGI that the agency removed the presentation from the website.\n\n         Recent events involving NRC employees provide further evidence of\n         weaknesses in control and handling of SGI.\n\n         \xe2\x80\x98        An NRC employee distributed a document that contained force-on-force\n                  program findings to the public. The employee believed the report was\n                  \xe2\x80\x9csanitized\xe2\x80\x9d and distributed the report to nuclear industry officials, who\n                  then distributed the report to the press. NRC officials later determined\n                  that the report contained SGI that had not been properly marked.\n\n\n\n\n3\n For purposes of this report, OIG uses the term \xe2\x80\x9c resident inspectors\xe2\x80\x9d to denote NRC staff interviewed at\ncommercial nuclear power reactor sites and does not distinguish between resident inspectors and senior\nresident inspectors.\n\n\n                                                7\n\x0c                                             Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n     \xe2\x80\x98      The release of SGI occurred at an industry-sponsored meeting when a\n            guest NRC speaker mentioned SGI relating to the agency\xe2\x80\x99s force-on-\n            force security testing program. However, the SGI had already been\n            publicly available through other sources.\n\n     \xe2\x80\x98      NRC staff made another document related to the force-on-force program,\n            which contained SGI, available to the public on the external NRC website.\n\n     A March 2003 NRC release of SGI shows the possible significant consequences\n     of not having adequate controls over this type of information. NRC had\n     developed a Regulatory Issue Summary (RIS) containing agency designated\n     SGI. The RIS was intended for \xe2\x80\x9call power reactor (including decommissioning\n     reactor) licensees, independent spent fuel storage installation licensees, the\n     conversion facility licensee, gaseous diffusion plant licensees, and Category I\n     fuel cycle facility licensees.\xe2\x80\x9d However, NRC released the RIS not only to the\n     identified groups, but also to Category III fuel cycle facility licensees and certain\n     vendors. According to an NSIR official, this was because one program office\n     provided an inappropriate mailing list that included entities that should not have\n     received the document. This NSIR official added that the staff responsible for\n     the mailing was \xe2\x80\x9cjunior staff\xe2\x80\x9d who did not recognize the inappropriate addresses.\n     To compound the severity of this release, the RIS contained specific information\n     about methods and techniques of defeating physical barriers at nuclear facilities,\n     which would be of value to potential adversaries.\n\n     Summary\n\n     These examples of inappropriate releases resulted from a combination of\n     handling errors and differing interpretations of what information constitutes SGI.\n     Without clear guidance on how to designate SGI, agency and licensee staff will\n     continue to release SGI to unauthorized individuals inappropriately. The agency\n     is preparing a guidance document to help with the identification of SGI; however,\n     it is not yet complete.\n\n     RECOMMENDATION\n\n     OIG recommends that the Executive Director for Operations:\n\n     2.     Finalize and issue the safeguards information designation guidance\n            document currently being developed.\n\nC. NO CENTRAL PROGRAM AUTHORITY FOR PROTECTING SGI\n\n     NRC controls do not ensure the protection of SGI because the agency lacks a\n     strong, coordinated SGI program. SGI responsibilities are split between various\n     agency offices and no entity controls the overall SGI program. This\n     decentralization of authority has resulted in (1) inadequate training to identify,\n     handle and distribute SGI, (2) insufficient coordination of the acquisition of\n\n\n                                       8\n\x0c                                                       Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n         secure telecommunications equipment, (3) inadequate installation, maintenance\n         and testing of that equipment, (4) uncoordinated planning for automated\n         processing of SGI, and (5) flawed guidance on the use of LAN-based computers\n         to process SGI.\n\n         Background\n\n         Aspects of the SGI program are split among the NRC\xe2\x80\x99s Offices of Administration\n         (ADM), Nuclear Security and Incident Response (NSIR), the Chief Information\n         Officer (OCIO), Nuclear Material Safety and Safeguards (NMSS), and Nuclear\n         Reactor Regulation (NRR). While NRC has a single agency official for homeland\n         protection and preparedness issues, SGI protection controls are fragmented.\n         As a result, there is no central authority for the agency\xe2\x80\x99s SGI program and no\n         single organization controls the program.\n\n                          Distribution of SGI Responsibilities\n                             ADM            NSIR           OCIO            NMSS           NRR\nInform Licensees                                                              /            /\nof Guidance\nTraining NRC                   /               /              /\nEmployees\nComputer                                                      /\nProcessing\nSecure Telephones                              /\nISDN Lines4                                                   /\nRequirements                   /\nInformation5\n\n         NRC has invested more than $600,000 to provide secure telecommunications\n         equipment in headquarters, the four regional offices, and at all resident inspector\n         offices. The agency did this to ensure the agency could send classified\n         information to the licensees. The Commission believed that licensees were\n         entitled to the information necessary to evaluate the threats to their plants and to\n         defend their facilities. This policy resulted in an exponential growth in the\n         secure telecommunications equipment for which the agency is responsible. NRC\n         acquired Secure Terminal Equipment (STE)6 for use at headquarters and the\n         regional offices. The agency also distributed older Secure Telephone Units -\n\n\n4\n The Integrated Services Digital Network is a high speed digital communication network.\n\n5\n Minimum Requirements for Handling Classified and Sensitive Unclassified Information.\n\n6\n The STE is secure voice and data equipment designed for use on digital communications networks,\nalthough they can operate in the analog mode.\n                                                9\n\x0c                                                       Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n          Model 3 (STU-III)7(previously possessed by NRC or provided by the U.S. Army)\n          to resident inspector offices at commercial nuclear power reactor sites. NRC\n          also purchased secure fax machines to be connected and used jointly with the\n          secure telephones.\n\n\n                           Equipment         Number          Cost\n                              STE              94          $370,000\n                             STU-III           71             -0-\n                           Secure Fax          78          $242,000\n                            TOTAL                          $612,000\n    STE\n\n          In addition, licensees will pay more than $45,000 for security clearances to allow\n          direct communication with NRC officials over the secure telecommunications\n          equipment in the resident inspector offices. NRC directed that five licensee\n          representatives at each site receive a security clearance8. To obtain each\n          clearance, licensees pay NRC a fee of about $145 for each security clearance, or\n          $725 per site for 65 sites.\n\n          Inadequate Training\n\n          Training related to SGI is fragmented. There is no single point of ownership for\n          training on handling and protecting information among the program offices.\n          NMSS officials stated that, while they are not responsible for training other NRC\n          employees and contractors, they do provide training for their own staff. ADM\n          officials stated they stopped providing training in information security areas for\n          NRC employees and contractors since the creation of NSIR. However, ADM\n          does give NRC employees certain types of security education, programs and\n          security awareness tools.\n\n          Before June 2003, NRC had not provided agency-wide SGI training to agency\n          employees. Some program offices within NRC headquarters requested training on\n          the handling of sensitive unclassified information and received it within the past\n          year. The same is true for all four of NRC\xe2\x80\x99s regional offices. However, not all\n          employees involved with or responsible for controlling SGI had received formal\n          documented training. In response to OIG\xe2\x80\x99s previous audit report on the handling\n          and marking of sensitive unclassified information, NSIR agreed to develop a\n          comprehensive security education program for handling both classified and\n          sensitive unclassified information that includes SGI. NRC completed this training\n          for agency employees in July 2003.\n\n\n\n\n7\n The STU-III is a secure analog telephone unit that can encrypt voice and data communications worldwide.\n\n8\n Licensee representatives will receive an \xe2\x80\x98L\xe2\x80\x99 security clearance based on a national agency check with\ninquiries.\n                                               10\n\x0c                                                     Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n        Acquisition of Secure Telecommunications Equipment\n\n        An additional benefit of secure telecommunications equipment is using it to\n        transmit SGI. ADM had responsibility for the FY 2002 installation of secure\n        telecommunication equipment in the resident inspector offices at commercial\n        nuclear power plants. During this period, ADM also was the Central Office of\n        Record11 for the agency. NRC got the equipment expeditiously because of the\n        concerns of additional terrorist attacks. After NSIR was established, ADM\xe2\x80\x99s\n        duties were transferred to that office.\n\n        NSIR will need to consult with OCIO to install ISDN lines to operate secure\n        telephone equipment because OCIO controls the acquisition and installation of\n        ISDN lines. This collaboration between OCIO and NSIR will be integral for\n        making decisions about future alternatives to the secure telephones. For\n        example, National Security Agency (NSA) officials told OIG that new equipment\n        is now available that can encrypt conversations through regular telephones. This\n        is possible without the use of special equipment, such as STU-IIIs or STEs, or an\n        ISDN line. As a result, NRC needs to coordinate future secure\n        telecommunications equipment purchases among responsible offices to ensure\n        that appropriate equipment is obtained.\n\n                 Inadequate Installation, Maintenance, and Testing of Secure\n                 Equipment\n\n        Installation\n\n        Agency requirements state that secure telecommunications equipment that is\n        newly installed, moved, or modified must not be operated until ADM has done\n        the required security checks. ADM-authorized qualified maintenance personnel\n        also must determine that the equipment is properly installed with all required\n        modifications and ready for operation. These requirements were written (1)\n        when very few secure telephones existed, (2) when the secure telephones were\n        mostly in headquarters and the regional offices, and (3) before NSIR assumed\n        the responsibilities of ADM for these activities. While these requirements are still\n        applicable today, they were not followed when the agency installed the new\n        secure telecommunications equipment in the resident inspector offices. Agency\n        officials said that OCIO had previously provided one person whose primary\n        responsibility was to visit headquarters and regional office sites where secure\n        telecommunications equipment was found and provide technical services.\n        However, while installing the new STEs, OCIO provided assistance for\n        configuring ISDN lines, which were primarily installed at headquarters.\n\n\n\n\n11\n The Central Office of Record performs oversight of all NRC communications security accounts and\ncoordinates all communications security activities with the National Security Agency for NRC.\n                                             11\n\x0c                                                        Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n                 Maintenance\n\n                 Communications security (COMSEC) custodians12 are not responsible for the\n                 physical maintenance of the secure equipment, although they may be called\n                 upon for troubleshooting the operation of that equipment. An OCIO manager\n                 stated that COMSEC custodians do not have the technical expertise to maintain\n                 the secure equipment. Also, this manager said that OCIO itself did not have the\n                 additional technical resources needed to support all of the secure\n                 telecommunications equipment. Although NSIR asked regional management to\n                 provide COMSEC support for installing and maintaining secure\n                 telecommunications equipment, regional management expressed concern that\n                 the equipment would require additional resources for which they are not currently\n                 budgeted. As such, the agency does not currently provide the necessary\n                 resources to visit each site to install and test secure telecommunications\n                 equipment.\n\n                 Testing\n\n                 OIG directed limited testing of the secure telecommunication system to\n                 determine whether it worked as intended and if agency staff were familiar with its\n                 operation. Testing determined that NRC\xe2\x80\x99s secure telecommunications system\n                 may not work when needed and SGI could be compromised.\n\n                 OIG observed twenty-two tests of the secure\n                 telephones and fax machines. Four tests               Successful Phone Calls on the\n                 were initiated from NRC headquarters and                       1st Attempt\n                 18 from the backup Incident Response\n                                                                          20               17\n                 Operation Center. Seventeen of the tests                 15\n                 failed on the first attempt to obtain a secure           10     5\n                                                                           5\n                 connection and then receive and                           0\n                                                                                ye s      no\n                 subsequently transmit a secure fax\n                 transmission. Five of the tests performed\n                 properly on the first attempt.\n\n                                              Of the 17 initial failed tests, 5 sites were never able\n     Reasons for Failures                     to send or receive a fax. The remaining 12 sites\n                           No\n                       Successful\n                                              failed due to unsuccessful initial telephone\n     Other\n                        Attempts\n                          18%\n                                              connections, failed fax fuses, or failure of a STU-III\n     24%\n                                              to connect with a STE or vice-versa. The other\n                                              category includes issues such as: a security safe\n                            Fuses Blown\n                                              that would not open, which prevented the resident\n                               24%            inspector from retrieving the encryption key needed\n  Equipment\n                                              to activate the secure telephone; a caller switching\n Incompatibili\n      ty\n                                              from secure data before the fax transmission was\n     34%\n                                              completed; and, two cases when the reasons for\n                                              failure were indeterminate.\n\n\n12\n  The agency has identified COMSEC custodians within headquarters and at each regional office to provide\ntraining to secure telecommunications users in their office or region and perform a semi-annual physical\ninventory of all secure telecommunications equipment.\n                                                 12\n\x0c                                                   Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\n        NSIR representatives said that, prior to OIG's test, the agency only tested the\n        secure network after the initial installation of the secure telecommunications\n        equipment at each resident inspector office. Furthermore, there were no plans\n        to establish ongoing, periodic testing. Resident inspectors recognized there\n        were operational problems with the secure telecommunications equipment, but\n        they did not appear overly concerned. Some stated that, in an emergency, they\n        would opt to use the regular telephone as management directives provided\n        examples of extraordinary circumstances under which SGI may be discussed\n        over unsecured telephone lines. However, it is NRC's policy to use the secure\n        telecommunications system equipment for the day-to-day transmittal of SGI and\n        classified infomation.\n\n        Uncoordinated Planning for Automated Processing of SGI\n\n        NRC is considering using encrypted e-mail to transmit SGI. Prior to establishing\n        NSIR, a working group made up of representatives from various NRC program\n        offices and industry representatives discussed the need to electronically transmit\n        SGI. The working group developed NRC RIS 2002-15, NRC Approval of\n        Commercial Data Encryption Systems for the Electronic Transmission of\n        Safeguards Information, dated August 28, 2002. This document provides\n        guidance on obtaining agency approval of commercial data encryption systems\n        for the electronic transmission of SGI.\n\n        To develop a viable electronic transmission and processing program for SGI,\n        agency officials will need to work collaboratively. While OCIO is responsible for\n        computer processing, ADM is responsible for access authorization, NSIR for\n        information security, and NMSS and NRR for providing guidance to the\n        licensees. Although all of these offices concurred in the development of NRC\n        RIS 2002-15, no single office has overall authority to coordinate and control the\n        program to ensure consistency of effort, economy and efficiency in application.\n\n        Technically Flawed Guidance for Computer Processing of SGI\n\n        NRC guidance on processing SGI on computers is technically flawed.\n        NUREG/BR-0168, Revision 213 allows the use of a LAN-based computer for\n        processing SGI as long as the computer is disconnected from the LAN prior to its\n        use in processing SGI. However, NSA officials stated that this method places a\n        shadow file on the hard drive of the computer, which then could be accessed\n        through the LAN when the computer is reconnected. NSA studies found traces\n        of classified documents on hard drives even though documents were processed\n        using floppy disks. In short, SGI should not be processed on any computer that\n        is or will be connected to the LAN.\n\n\n\n\n13\n NUREG/BR-0168, Revision 2 Policy for Processing and Handling Unclassified Safeguards Information\nand Other Sensitive Information in the NRC Local-Area /Wide-Area Network Environment, December 1999.\n                                            13\n\x0c                                               Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n         Summary\n\n         In order for NRC to maintain a sound and effective SGI program, it must be\n         managed by a central authority. That authority should have the ability to engage\n         resources throughout the agency and be able to hold them accountable for the\n         tasks at hand. In addition, a central authority would be able to ensure a\n         consistent application of SGI guidance and training, and maintain oversight for\n         secure telecommunications equipment and automated processing of SGI.\n         While NRC has a single agency official for homeland protection and\n         preparedness issues, there is no central authority for the agency\xe2\x80\x99s SGI program.\n\n         NRC has invested more than $600,000 in secure telecommunications equipment\n         for a classifed information and SGI (sensitive unclassified) program that is not\n         working as intended. The amount of secure telecommunications equipment\n         currently within the agency has outgrown NRC's resources to provide adequate\n         installation, oversight, and maintenance of that equipment. The agency needs\n         to perform regular, documented tests to ensure that the secure\n         telecommunications network is operating properly and that NRC staff is familiar\n         with its operation. Additionally, agency guidance on computer processing of SGI\n         must clearly indicate that the use of a LAN-based system is prohibited.\n\n         RECOMMENDATIONS\n\n         OIG recommends that the Executive Director for Operations:\n\n         3.     Designate a central authority for controlling, communicating and\n                coordinating the safeguarrds information program.\n\n         4.     Provide adequate resources to ensure the timely installation,\n                maintenance, and troubleshooting of problems with secure\n                telecommunications equipment.\n\n         5.     Formalize a program for periodic testing and documentation of the secure\n                telecommunications network.\n\n         6.     Revise NRC procedures to eliminate the processing of SGI on the LAN.\n\n\nIV. NRC MANAGEMENT INITIATIVES\n\n         NSIR is making progress on corrective actions in answer to the\n         recommendations made in the recently issued OIG audit report on the handling\n         and marking of sensitive unclassified information. Specifically, the office is\n         conducting a total review of MD 12.6 to make the guidance more prescriptive\n         and is developing a security education program. This program will be used for\n         training NRC employees and contractors about the handling of both classified\n         and unclassified sensitive information.\n\n\n                                        14\n\x0c                                      Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\nOn May 20, 2003, NSIR issued a Yellow Announcement reminding agency staff\nof the requirement to report inadvertent releases to the EDO and the OIG. The\nannouncement also notified agency staff of available monthly training concerning\nthe protection and handling of classified and sensitive unclassified information.\nNSIR also conducted mandatory security classes in June and July 2003, in\nresponse to recommendations made in OIG\xe2\x80\x99s earlier audit report. After that,\nNSIR will continue to provide monthly training sessions at the request of the\nprogram offices, as long as there are at least 5 to 10 individuals that need the\ntraining. Although NSIR is taking actions to strengthen the controls over\nsensitive unclassified information, OIG believes that the information and\nrecommendations contained in this report must be factored into any revised\ntraining program NSIR develops.\n\nThe cover sheets for classified information and SGI were modified to include\ninstructions on the proper handling of documents containing these types of\ninformation. The cover sheet for SGI was changed from green to purple to\nbetter distinguish it from the Official Use Only cover sheet, which is green and\nwhite. Instructions for marking, storing, handling and transmitting SGI are\nincluded on the reverse side of the cover sheet to provide users with a quick\nreference guide on handling and protecting SGI. The requirement for the use of\nsecure telecommunications equipment is also highlighted for the electronic\ntransmission of SGI. Having the guidance on the cover sheet provides\ninformation to those employees who do not often handle SGI, and provides a\nquick refresher for those who are more familiar with the requirements. Effective\nMay 15, 2003, agency personnel were requested to cease using the green\nversion of the SGI cover sheet and begin using the purple cover sheet.\n\nAlthough NRC implemented a plan in June 2002 for the comprehensive review of\nsafeguards and security programs for NRC-licensed facilities and activities, it\nhas yet to complete the actions designated in that plan. Of particular interest to\nthe subject of this report, the agency has not completed its review of the\nrequirements related to SGI. The recommendations contained in this report\nmust be factored into any further implementation and completion of that plan.\n\n\n\n\n                                15\n\x0c                     Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n              16\n\x0c                                              Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\nV. CONSOLIDATED LIST OF RECOMMENDATIONS\n\n        OIG recommends that the Executive Director for Operations:\n\n        1.     Formally document the justification for continued use of the safeguards\n               information designation.\n\n        2.     Finalize and issue the safeguards information designation guidance\n               document currently being developed.\n\n        3.     Designate a central authority for controlling, communicating and\n               coordinating the safegurards information program.\n\n        4.     Provide adequate resources to ensure the timely installation,\n               maintenance, and troubleshooting of problems with secure\n               telecommunications equipment.\n\n        5.     Formalize a program for periodic testing and documentation of the secure\n               telecommunications network.\n\n        6.     Revise NRC procedures to eliminate the processing of SGI on the LAN.\n\n\n\n\n                                       17\n\x0c                     Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n              18\n\x0c                                              Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n                                                                                   APPENDIX A\nSCOPE AND METHODOLOGY\n\n        OIG audited the protection of safeguards information at NRC. To accomplish\n        the audit objectives, OIG reviewed NRC Management Directives, agency\n        guidance, OIG reports, and outside agency documents. Auditors interviewed\n        NRC employees, licensee security officials, Department of Energy employees,\n        and representatives from the National Security Agency to determine their\n        understanding of the SGI definition, familiarity with the operation of the secure\n        telecommunication equipment and practices for protecting SGI. OIG performed\n        tests of the secure telephones and fax machines located at Regions I and IV and\n        22 different resident inspector sites.\n\n        The work was conducted from October 2002 through April 2003 in accordance\n        with generally accepted Government auditing standards and included a review of\n        management controls related to the objectives of the audit.\n\n        The major contributors to this report were: Russell Irish, Team Leader;\n        Shyrl Coker, Audit Manager; David Ditto, Management Analyst; and\n        William Kemper, Technical Advisor.\n\n\n\n\n                                        19\n\x0c                     Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n              20\n\x0c                                                      Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n                                                                                           APPENDIX B\nAGENCY COMMENTS\n\n                                             December 12, 2003\n\n\nMEMORANDUM TO:                Stephen D. Dingbaum\n                              Assistant Inspector General for Audits\n\n\nFROM:                         William F. Kane /RA/\n                              Deputy Executive Director for Homeland\n                               Protection and Preparedness\n                              Office of the Executive Director for Operations\n\n\nSUBJECT:                      OIG DRAFT REPORT: AUDIT OF NRC\xe2\x80\x99S PROTECTION OF\n                              SAFEGUARDS INFORMATION\n\n\nThis memorandum is in response to your memorandum dated October 28, 2003, forwarding the\nOffice of the Inspector General\xe2\x80\x99s (OIG\xe2\x80\x99s) draft audit report entitled \xe2\x80\x9cAudit of NRC\xe2\x80\x99s Protection of\nSafeguards Information\xe2\x80\x9d for staff review and comment. There has been more extensive\ninteraction between OIG and NRC staff regarding this draft report which has led to an unusual\ndelay in my providing you this response.\n\nAfter receipt of the draft report in August 2003, the staff had several issues with the conclusions\nreached by OIG, including some of the facts on which those conclusions were based. Of\nparticular concern were two items: (1) the broad conclusion reached regarding the staff\xe2\x80\x99s\ncontrol of safeguards information (SGI) and (2) the recommendation that the staff perform a\ncost-beneficial analysis to justify the continued use of SGI. Comments on the draft report,\nwhich focused heavily on the above two items, were provided to you and your audit team during\nboth a teleconference and a subsequent exit conference in early September 2003. Additionally,\nthere have been several follow-up interactions between OIG and the NRC staff to further our\nunderstanding of the basis for OIG\xe2\x80\x99s conclusions and recommendations, as well as better\nexplain the NRC staff\xe2\x80\x99s concerns with the draft report. It is my understanding that this has\nresulted in a number of changes that will be reflected in the final report. I appreciate the\nwillingness of the OIG to remain open to the feedback provided by the staff.\n\nRegarding the OIG recommendation that NRC perform a cost-benefit study relative to\nsustaining the SGI designation, it is my understanding that the OIG\xe2\x80\x99s intent is that the staff\nevaluate if alternatives to the current SGI program are warranted vice doing a formal cost-\nbenefit analysis. Given its clear statutory role, the lack of a reasonable alternative, and its\ncurrent role in providing an essential information designation and protection system, doing such\na cost-benefit analysis would not be an appropriate use of the NRC staff\xe2\x80\x99s time and resources.\nI would ask you to look at the wording of this recommendation to assure that it accurately\ncaptures the OIG intent.\n\n\n\n\n                                                21\n\x0c                                                      Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n                                               -2-\n\nThe OIG has identified several areas in which the current SGI program can be improved, and\nwe essentially agree with these recommendations. Overall, however, the SGI program is\nfulfilling its intended function of protecting sensitive security information related to nuclear\nfacilities. I also believe the NRC has made significant strides in improving the protection of SGI\nby NRC employees and licensees over the past several years subsequent to the events of 9/11.\n\nIn addition to the comments above, attached are more detailed comments on the draft report\nfor your consideration. If you would like to discuss our comments, please contact William Dean\nat 415-1703 or Melinda Malloy at 415-1785.\n\nAttachment: As stated\n\n\n\n\n                                               22\n\x0c                                                       Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n                                                                                            APPENDIX B\n\nComments on OIG Draft Report: Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\nPage i, Background, states that SGI deals with information related to the physical protection of\noperating power reactors, spent fuel shipments, or the physical protection of special nuclear\nmaterial. This description is correct, but incomplete. Section 147 of the Atomic Energy Act\n(AEA) also authorizes the Commission to designate as SGI information related to the physical\nprotection of source material and/or byproduct material in quantities determined by the\nCommission to be significant to the public health and safety or common defense and security.\nThis authority should be noted to correctly reflect the full scope of the Commission\xe2\x80\x99s authority\nunder AEA \xc2\xa7 147.\n\nPage 1, Derivation of Safeguards Information, initially implies that the SGI designation only\napplies to information related to the physical protection of operating power reactors, spent fuel\nshipments, or the physical protection of special nuclear material. Section 147 of the AEA also\nauthorizes the Commission to designate as SGI information related to the physical protection of\nsource material and/or byproduct material in quantities determined by the Commission to be\nsignificant to the public health and safety or common defense and security. Although this is\nnoted in a bullet on the same page, the discussion could be clarified up front.\n\nPage 4, first paragraph: There are important differences between the NRC\xe2\x80\x99s SGI program and\nthe government-wide program to protect classified national security information (NSI). NSI is\nsubject to more burdensome handling, storage, and access authorization requirements.\nRequiring NRC licensees to move away from SGI and toward an NSI security clearance and\nhandling regime would impose substantial burdens during the transition and afterwards as\nprivate sector employees would be required to undergo more rigorous background checks and\ntraining programs to properly receive and handle NSI.\n\nThe criteria for classifying information as NSI are different from the criteria for SGI. Eliminating\nthe SGI designation would potentially leave vital information regarding critical security systems,\nplans, and vulnerabilities unprotected against public disclosure where such information could\nnot be classified under the NSI regime.\n\nPage 5, Definition of Confidential vs. Safeguards Information: The draft report does not justify\nits assumption that the additional cost of protecting confidential NSI would be minor compared\nto the cost of protecting SGI. The NRC would have to adjudicate thousands of additional\nsecurity clearances under an NSI regime and periodically reinvestigate some cleared\nindividuals. NRC would incur additional costs for expanding its infrastructure for performing\nthese tasks. There may also be increased costs to inspect licensees\xe2\x80\x99 conformance with\nregulations for protecting classified information.\n\nSwitching from an SGI regime to an NSI regime would not necessarily result in a wholesale\nelimination of licensees\xe2\x80\x99 current programs for evaluating the trustworthiness of its employees\nbecause not all licensee employees would require NSI security clearances. The cost of\nproviding the more rigorous background checks required for access to NSI would be in addition\nto the cost of existing programs, not in substitution of those costs.\n\n\n                                                 23\n\x0c                                                      Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\nPage 6, last paragraph: SGI is not a classification system. There may be additional burdens in\nthe protection of SGI if converted to CONFIDENTIAL-National Security Information which are\nnot reflected in the draft report, e.g., use of security container check sheets and security\ncontainer information forms posted on the inside of the locking drawer of the container.\nSecurity education briefings must be established and conducted (e.g., initial security briefing,\nrefresher briefings every 3 years, and termination briefings) and authorized classifiers will need\nto be designated and trained on the requirements of Executive Order (E.O.) 12958, as\namended. The statement that NRC is the only agency that uses the SGI designation,\nincorrectly implies that other agencies can meet their needs with the Official Use Only (OUO)\nand classified designations, with nothing in between. Many other agencies use designations\nsimilar in nature (e.g., DOE uses Unclassified Controlled Nuclear Information (UCNI)).\n\nPage 7, Handling of Safeguards Modified Information: The OUO designation is not a useful\nalternative to the SGI designation. An OUO label does not automatically exempt information\nfrom public disclosure under the Freedom of Information Act, as does the SGI designation.\nMoreover, the OUO designation is not legally binding on NRC licensees. NRC licensees in\npossession of OUO information are under no legal obligation to provide even the most basic\nprotections. Thus, the OUO designation is not a viable alternative to SGI or SGI-M, both of\nwhich attach civil and criminal penalties to unauthorized disclosures and provide a measure of\ndeterrence to unauthorized disclosures.\n\nPage 8: The cost of NRC adjudicating thousands of additional \xe2\x80\x9cL\xe2\x80\x9d clearances and the cost of\nperiodic reinvestigations have not been considered. In the second paragraph, there is no\nmention of the 145(b) provision which will need to be adhered to. Not all employees would\nrequire Government clearances. Therefore, the licensee would still have to conduct the\nemployee evaluation programs for those not requiring clearances, so the licensee could not\nnecessarily entirely forego the fixed costs of maintaining its own employee evaluation program.\n\nIn many cases, the licensee might still have to conduct its own employee evaluation in order to\nbring an employee on site, and have the Government clearance be granted later. In the\ninterim, an employee would not be permitted to access certain classified information that\nformerly had been SGI and which does not require a Government clearance for access. This\ncould pose a significant problem for the licensee and could have significant monetary costs, as\nwell as negative safety and safeguards implications.\n\nShould the NRC take on the responsibility for providing Government clearances for large\nnumbers of licensee personnel, NRC would incur additional costs for expanding its\ninfrastructure for performing these tasks. There may also be increased costs to inspect\nlicensees\xe2\x80\x99 conformance with regulations for protecting classified information. These expenses\nwould likely be charged to the licensees through NRC\xe2\x80\x99s fee recovery process. On balance,\nlicensees could incur significant additional costs, rather than savings.\n\n\n\n\n                                               24\n\x0c                                                      Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\nWe suggest that Recommendation 1 be rephrased, as follows:\n\n       \xe2\x80\x9c1. Determine whether the benefit of the safeguards information designation is worth\n       the cost of maintaining a separate safeguards program alternatives to the current SGI\n       program, including subsuming SGI under the government-wide program for protecting\n       classified information, could provide more effective and efficient protection against\n       inappropriate release of sensitive information.\xe2\x80\x9d\n\nPage 10, second paragraph: Different interpretation of what is or is not SGI should not be\nconsidered unusual. In classified programs, determining what is classified is not always an\nexact science. Therefore, different interpretations are always being challenged. It is\nreasonable to expect the same to hold for the SGI program.\n\nPage 11, first paragraph: Although the SGI that was given to the Local Law Enforcement\nAgency (LLEA) was not properly marked, the release was not inappropriate because LLEAs are\nauthorized access to SGI in accordance with 10 CFR 73.21.\n\nPage 13, Section C, first paragraph: Items 2 and 3 have nothing to do with a \xe2\x80\x9cCentral\nAuthority\xe2\x80\x9d needed for the oversight of the NRC SGI program. Secure telecommunication\nequipment acquisition and installation is covered under NRC\xe2\x80\x99s classified information program.\nIt should also be noted that while NSIR controls the SGI program as a whole, it still relies on the\nexpertise of the Office of the Chief Information Officer (OCIO) for equipment support, the Office\nof Administration for physical security oversight, and the Regions and program offices for\noversight of licensees handling SGI.\n\nPage 15: Although the equipment may be used to communicate SGI, the purchase of secure\ncommunications equipment for NRC resident offices was not done under the aegis of or to\nsupport the SGI program.\n\nIn the section on Inadequate Training, NSIR has been coordinating training sessions that\ninclude the protection and handling of SGI since September 11, 2001. As of August 2003,\napproximately 90 percent of the agency has been trained on the proper handling requirements\nfor SGI. NSIR has also issued agency announcements, created a cover sheet with handling\nand marking requirements on the reverse side, and created a new marking stamp that is\nconsistent with current SGI requirements.\n\nPage 16, last paragraph: NSIR has always coordinated with OCIO for the installation of ISDN\nlines to operate secure telephone equipment and will continue to do so.\n\nPage 18, Maintenance: COMSEC Custodians are responsible for troubleshooting operational\nproblems with secure equipment, rekeying secure telephones, and changing fuses associated\nwith the equipment from time to time. With respect to maintenance, all equipment is required to\nbe sent to a secure maintenance site when repairs are required.\n\nIn the section on Testing, it should be noted that the staff considers any use of secure\ntelecommunication equipment to qualify as a test. Problems associated with secure\ntelecommunication are frequently the result of operator error. In addition, many secure\n\n\n\n                                                25\n\x0c                                                      Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\nconnections take several attempts to complete because of the multiplicity of settings possible\nfor each phone and fax. This may even result from the differences in versions of equipment\nbeing used.\n\nPage 19, second paragraph: Failure to be able to open a security container is usually due to\noperator error.\n\nLast paragraph: Secure telecommunications equipment was primarily installed at Reactor\nResident Inspector sites for transmission of classified information, not for SGI. If SGI needs to\nbe sent outside a site on a non-emergency basis, it can be done thru U.S. Mail as has been\npracticed.\n\nPage 20, second paragraph: NSIR has already taken the lead for coordinating and controlling\nthe electronic transmission and processing program for SGI.\n\nLast paragraph: OCIO has already rescinded NUREG/BR-0168, Rev. 2 entitled, \xe2\x80\x9cPolicy for\nProcessing and Handling Unclassified Safeguards Information and Other Sensitive Information\nin the NRC Local-Area/Wide-Area Network Environment,\xe2\x80\x9d to eliminate the processing of SGI on\nthe NRC LAN.\n\nPage 21: The draft report states, \xe2\x80\x9cIn short, SGI should not be processed on any computer that\nis or will be connected to the LAN.\xe2\x80\x9d The report\xe2\x80\x99s corresponding Recommendation 6 (\xe2\x80\x9cRevise\nNRC procedures to eliminate the processing of SGI on the LAN\xe2\x80\x9d) appears to be unnecessarily\nrestrictive.\n\nThe draft report highlights an important fact, i.e., that existing guidance for automated\nprocessing of SGI is not consistent, and in some cases wrong. This may be addressed in other\nways.\n\nWe recommend that Recommendation 6 be changed to read:\n\n       \xe2\x80\x9c6. Revise documentation for NRC procedures to eliminate the processing of SGI on\n       the LAN inconsistencies and ambiguities that could imply SGI can be processed on a\n       personal computer while it is connected to the unclassified NRC LAN, and to ensure that\n       personal computers used for SGI processing while disconnected from the LAN do not\n       employ fixed hard drives.\xe2\x80\x9d\n\nPage 22: The report\xe2\x80\x99s Recommendations 4 and 5 deal with telecommunications equipment for\ntransmitting SGI. Pages 16 through 19 of the report address acquisition, installation,\nmaintenance, and testing of this equipment, detailing numerous problems with testing and\nreliability. On page 16, however, there is a statement about the availability of new equipment\nthat can encrypt conversations through regular telephone lines, without the use of special\nequipment, such as STU-IIIs or STEs, or an ISDN line. The report appeared to encourage a\nswitch to this new technology.\n\n\n\n\n                                               26\n\x0c                                                      Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\nRecommendations 4 and 5 on page 22 seem to neglect this promising new and available\ntechnology, and focus instead on continuing to commit resources for the less reliable\ntechnology now owned by the NRC. They refer to a separate secure telecommunications\nnetwork that may not be necessary if the new technology is used. Recommendations 4 and 5\nshould be revised to permit or encourage a switch to the new technology, rather than force\nNRC into spending large amounts of money to acquire, install, test, and maintain the current\ntechnology that involves supporting a separate secure telecommunications network.\n\nThe transition to a new secure telecommunications technology may not be instantaneous or\npainless, but the report\xe2\x80\x99s recommendations should not, in effect, restrict us to staying with the\ncurrent technology longer than necessary. We suggest the following revisions to\nRecommendations 4 and 5:\n\n       \xe2\x80\x9c4. Provide adequate resources to ensure the timely installation, maintenance, and\n       troubleshooting of problems with acquire, install, test, and maintain appropriate secure\n       communications technology to effectively and efficiently support the secure\n       telecommunications equipment needs of the NRC, as new technologies become\n       available and affordable.\xe2\x80\x9d\n\n       \xe2\x80\x9c5. Formalize a program for periodic testing and documentation of the currently installed\n       secure telecommunications network systems to ensure continuing functionality for\n       regular use and its readiness for emergency use.\xe2\x80\x9d\n\n\n\n\n                                                27\n\x0c                     Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n              28\n\x0c                                                       Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n                                                                                            APPENDIX C\nDETAILED OIG ANALYSIS OF AGENCY COMMENTS\n\nAgency Comments:\n\nPage i, Background, states that SGI deals with information related to the physical protection of\noperating power reactors, spent fuel shipments, or the physical protection of special nuclear\nmaterial. This description is correct, but incomplete. Section 147 of the Atomic Energy Act\n(AEA) also authorizes the Commission to designate as SGI information related to the physical\nprotection of source material and/or byproduct material in quantities determined by the\nCommission to be significant to the public health and safety or common defense and security.\nThis authority should be noted to correctly reflect the full scope of the Commission\xe2\x80\x99s authority\nunder AEA \xc2\xa7 147.\n\n\n OIG Response:\n\n While the agency is correct, the paragraph cited is in the Executive Summary of the report\n which provides a synopsis of the total report. Page 1 of the report provides a fuller\n description of SGI.\n\n\nAgency Comments:\n\nPage 1, Derivation of Safeguards Information, initially implies that the SGI designation only\napplies to information related to the physical protection of operating power reactors, spent fuel\nshipments, or the physical protection of special nuclear material. Section 147 of the AEA also\nauthorizes the Commission to designate as SGI information related to the physical protection of\nsource material and/or byproduct material in quantities determined by the Commission to be\nsignificant to the public health and safety or common defense and security. Although this is\nnoted in a bullet on the same page, the discussion could be clarified up front.\n\n OIG Response:\n\n OIG agrees that the discussion cited in the bullet could be clarified up front, but believes the\n paragraph and bullets accompanying it are accurate and do not need to be changed.\n\n\nAgency Comments:\n\nPage 4, first paragraph (now page 2 of this report): There are important differences between\nthe NRC\xe2\x80\x99s SGI program and the government-wide program to protect classified national\nsecurity information (NSI). NSI is subject to more burdensome handling, storage, and access\n\n\n\n\n                                                29\n\x0c                                                       Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\nauthorization requirements. Requiring NRC licensees to move away from SGI and toward an\nNSI security clearance and handling regime would impose substantial burdens during the\ntransition and afterwards as private sector employees would be required to undergo more\nrigorous background checks and training programs to properly receive and handle NSI.\n\nThe criteria for classifying information as NSI are different from the criteria for SGI. Eliminating\nthe SGI designation would potentially leave vital information regarding critical security systems,\nplans, and vulnerabilities unprotected against public disclosure where such information could\nnot be classified under the NSI regime.\n\nPage 5, Definition of Confidential vs. Safeguards Information (now page 3 of this report): The\ndraft report does not justify its assumption that the additional cost of protecting confidential NSI\nwould be minor compared to the cost of protecting SGI. The NRC would have to adjudicate\nthousands of additional security clearances under an NSI regime and periodically reinvestigate\nsome cleared individuals. NRC would incur additional costs for expanding its infrastructure for\nperforming these tasks. There may also be increased costs to inspect licensees\xe2\x80\x99 conformance\nwith regulations for protecting classified information.\n\nSwitching from an SGI regime to an NSI regime would not necessarily result in a wholesale\nelimination of licensees\xe2\x80\x99 current programs for evaluating the trustworthiness of its employees\nbecause not all licensee employees would require NSI security clearances. The cost of\nproviding the more rigorous background checks required for access to NSI would be in addition\nto the cost of existing programs, not in substitution of those costs.\n\nPage 6, last paragraph (now page 4, second paragraph of this report): SGI is not a\nclassification system. There may be additional burdens in the protection of SGI if converted to\nCONFIDENTIAL-National Security Information which are not reflected in the draft report, e.g.,\nuse of security container check sheets and security container information forms posted on the\ninside of the locking drawer of the container. Security education briefings must be established\nand conducted (e.g., initial security briefing, refresher briefings every 3 years, and termination\nbriefings) and authorized classifiers will need to be designated and trained on the requirements\nof Executive Order (E.O.) 12958, as amended. The statement that NRC is the only agency that\nuses the SGI designation, incorrectly implies that other agencies can meet their needs with the\nOfficial Use Only (OUO) and classified designations, with nothing in between. Many other\nagencies use designations similar in nature (e.g., DOE uses Unclassified Controlled Nuclear\nInformation (UCNI)).\n\nPage 8 (now page 5, second paragraph of this report): The cost of NRC adjudicating\nthousands of additional \xe2\x80\x9cL\xe2\x80\x9d clearances and the cost of periodic reinvestigations have not been\nconsidered. In the second paragraph, there is no mention of the 145(b) provision which will\nneed to be adhered to. Not all employees would require Government clearances. Therefore,\nthe licensee would still have to conduct the employee evaluation programs for those not\nrequiring clearances, so the licensee could not necessarily entirely forego the fixed costs of\nmaintaining its own employee evaluation program.\n\nIn many cases, the licensee might still have to conduct its own employee evaluation in order to\nbring an employee on site, and have the Government clearance be granted later. In the\ninterim, an employee would not be permitted to access certain classified information that\nformerly had been SGI and which does not require a Government clearance for access. This\n\n                                                 30\n\x0c                                                     Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\ncould pose a significant problem for the licensee and could have significant monetary costs, as\nwell as negative safety and safeguards implications.\n\nShould the NRC take on the responsibility for providing Government clearances for large\nnumbers of licensee personnel, NRC would incur additional costs for expanding its\ninfrastructure for performing these tasks. There may also be increased costs to inspect\nlicensees\xe2\x80\x99 conformance with regulations for protecting classified information. These expenses\nwould likely be charged to the licensees through NRC\xe2\x80\x99s fee recovery process. On balance,\nlicensees could incur significant additional costs, rather than savings.\n\nWe suggest that Recommendation 1 be rephrased, as follows:\n\n       \xe2\x80\x9c1. Determine whether the benefit of the safeguards information designation is worth\n       the cost of maintaining a separate safeguards program alternatives to the current SGI\n       program, including subsuming SGI under the government-wide program for protecting\n       classified information, could provide more effective and efficient protection against\n       inappropriate release of sensitive information.\xe2\x80\x9d\n\n\n OIG Response:\n\n During the audit, NRC staff was not able to provide any formal justification for the SGI\n designation other than anecdotal accounts of the costs involved to change it or that it has\n been done this way for the last 20 years. NRC should formally document that the legal basis\n for continued use of the SGI designation is justified on its merits alone. Absent that position,\n the primary anecdotal justification provided by NRC staff for maintaining the SGI designation\n was the cost of doing away with the SGI designation in order to go to the confidential\n designation. OIG was provided with this same position during the audit fieldwork, but\n agency staff could not provide any detailed analysis of the difference in cost between the two\n designations. In some cases, licensees with whom OIG spoke were implementing actions in\n protecting SGI which agency staff described as added burdens if the confidential designation\n was required. OIG attempted to perform a cost-benefit analysis for maintaining the SGI\n designation, but the figures provided by agency staff and licensees were inconsistent, wide\n ranging, and non-inclusive for all of the considerations identified by the staff. The point of\n this finding, in light of the events of September 11, 2001, and a subsequent Executive Order\n re-defining confidential information, is whether business as usual is still justified.\n\n OIG made minor modifications to the draft report to clarify some of the other points made by\n the staff. Additionally, OIG reworded the recommendation for this finding to more directly\n articulate OIG\xe2\x80\x99s expectation.\n\n\n\n\n                                               31\n\x0c                                                      Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\nAgency Comments:\n\nPage 10, second paragraph (now page 7, first paragraph of this report): Different interpretation\nof what is or is not SGI should not be considered unusual. In classified programs, determining\nwhat is classified is not always an exact science. Therefore, different interpretations are always\nbeing challenged. It is reasonable to expect the same to hold for the SGI program.\n\n\n  OIG Response:\n\n  While OIG understands the staff\xe2\x80\x99s comments, OIG cannot endorse this position to excuse\n  inappropriate releases of SGI. A clearer definition of SGI can only help to prevent\n  inappropriate releases of SGI and limit the number of occasions where different\n  interpretations have influenced such releases.\n\n\nAgency Comments:\n\nPage 11, first paragraph (now page 7, third paragraph of this report): Although the SGI that\nwas given to the Local Law Enforcement Agency (LLEA) was not properly marked, the release\nwas not inappropriate because LLEAs are authorized access to SGI in accordance with 10 CFR\n73.21.\n\n\n OIG Response:\n\n Whether or not LLEAs are authorized access to SGI does not mean they had an appropriate\n \xe2\x80\x9cneed-to-know\xe2\x80\x9d and, therefore, does not negate that the release was inappropriate. The\n release was inappropriate as evidenced by the NRC official requiring that the document in\n question be returned to the agency and because is was not properly marked. Inappropriate\n releases of SGI are not simply determined on the merits of who received the information but\n also on whether they are properly handled and marked to ensure the information does not go\n to individuals other than intended.\n\n\n\n\nAgency Comments:\n\nPage 13, Section C, first paragraph (now page 8 of this report): Items 2 and 3 have nothing to\ndo with a \xe2\x80\x9cCentral Authority\xe2\x80\x9d needed for the oversight of the NRC SGI program. Secure\ntelecommunication equipment acquisition and installation is covered under NRC\xe2\x80\x99s classified\ninformation program. It should also be noted that while NSIR controls the SGI program as a\nwhole, it still relies on the expertise of the Office of the Chief Information Officer (OCIO) for\nequipment support, the Office of Administration for physical security oversight, and the Regions\nand program offices for oversight of licensees handling SGI.\n\nPage 15 (now page 9 of this report): Although the equipment may be used to communicate\nSGI, the purchase of secure communications equipment for NRC resident offices was not done\nunder the aegis of or to support the SGI program.\n                                               32\n\x0c                                                      Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\n\n OIG Response:\n\n The report identifies on page 9 that the secure telecommunications equipment was\n acquired and installed to ensure the agency could send classified information to the\n licensees. On page 11, OIG recognizes that an additional benefit of this equipment is using\n it to communicate SGI. Whether or not the equipment was directly acquired for use with\n classified information is not the point. Rather, in the context of this report and the agency\xe2\x80\x99s\n use of the equipment with SGI, issues related to the secure telecommunications equipment\n must be addressed by the agency to ensure it is available for use when needed.\n\n\n\nAgency Comments:\n\nIn the section on Inadequate Training, NSIR has been coordinating training sessions that\ninclude the protection and handling of SGI since September 11, 2001. As of August 2003,\napproximately 90 percent of the agency has been trained on the proper handling requirements\nfor SGI. NSIR has also issued agency announcements, created a cover sheet with handling\nand marking requirements on the reverse side, and created a new marking stamp that is\nconsistent with current SGI requirements.\n\n OIG Response:\n\n OIG recognizes the coordinated training sessions in Section IV, \xe2\x80\x9cManagement Initiatives,\xe2\x80\x9d\n beginning on page 15 of the report. However, OIG\xe2\x80\x99s point is that training has been\n fragmented and, as implied in the agency response through NSIR\xe2\x80\x99s coordinating the training\n session, there is no single point of ownership for the training. Moreover, OIG\xe2\x80\x99s concern is\n that any actions taken to implement the recommendations in the report must be factored into\n any future training. As training in SGI is mandatory, any changes would have to be\n communicated during the required annual training. Moreover, in training the 10 percent of\n the agency staff who have not received instruction in the proper handling requirements for\n SGI, these factors should be considered.\n\n\nAgency Comments:\n\nPage 16, last paragraph (now page 11, second paragraph of this report): NSIR has always\ncoordinated with OCIO for the installation of ISDN lines to operate secure telephone equipment\nand will continue to do so.\n\n\n\n\n                                               33\n\x0c                                                      Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\n\n OIG Response:\n\n OIG recognizes OCIO has been involved with coordinating the installation of ISDN lines.\n However, in context with the entire paragraph and the paragraph preceding it, OIG is\n identifying that coordination will have to take place among all responsible offices for future\n telecommunications equipment purchases to ensure the proper equipment is obtained, not\n just the installation of ISDN lines.\n\n\nAgency Comments:\n\nPage 18, Maintenance (now page 12 of this report): COMSEC Custodians are responsible for\ntroubleshooting operational problems with secure equipment, rekeying secure telephones, and\nchanging fuses associated with the equipment from time to time. With respect to maintenance,\nall equipment is required to be sent to a secure maintenance site when repairs are required.\n\n\n\n OIG Response:\n\n OIG clearly identifies that COMSEC Custodians are responsible for troubleshooting\n operational problems with secure equipment and is aware they are responsible for rekeying\n secure telephones. OIG disagrees that they are responsible for changing fuses associated\n with the equipment other than that located in headquarters and the regional offices. The\n inspectors or administrative assistants at the nuclear power plant sites perform that function\n when fuses need replacement. OIG recognizes and agrees that, except for replacing fuses\n and rekeying secure telephones, all equipment is required to be sent to a secure\n maintenance site when repairs are required.\n\n\nAgency Comments:\n\nIn the section on Testing, it should be noted that the staff considers any use of secure\ntelecommunication equipment to qualify as a test. Problems associated with secure\ntelecommunication are frequently the result of operator error. In addition, many secure\nconnections take several attempts to complete because of the multiplicity of settings possible\nfor each phone and fax. This may even result from the differences in versions of equipment\nbeing used.\n\nPage 19, second paragraph (now page 12, last paragraph of this report): Failure to be able to\nopen a security container is usually due to operator error.\n\n\n\n\n                                               34\n\x0c                                                       Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\n\n OIG Response:\n\n OIG does not accept the premise that any use of secure telecommunications equipment\n qualifies as a test of that equipment. If the equipment fails when it is needed, it has failed in\n use, not during a test. Regular, periodic testing of the equipment would minimize the\n amount of human error associated with failures by building in familiarity with the equipment.\n Moreover, the agency will need to evaluate whether the differences in the versions of\n equipment being used is acceptable for the number of failures that have occurred. As to the\n failure of opening a security container due to operator error, this also can be minimized by\n regular, periodic testing which will require access to the contents of the security container.\n\n\nAgency Comments:\n\nLast paragraph (now page 13, first paragraph): Secure telecommunications equipment was\nprimarily installed at Reactor Resident Inspector sites for transmission of classified information,\nnot for SGI. If SGI needs to be sent outside a site on a non-emergency basis, it can be done\nthru U.S. Mail as has been practiced.\n\n  OIG Response:\n\n  See OIG\xe2\x80\x99s response to the agency\xe2\x80\x99s comments related to page 9.\n\n\nAgency Comments:\n\nPage 20, second paragraph (now page 13 of this report): NSIR has already taken the lead for\ncoordinating and controlling the electronic transmission and processing program for SGI.\n\nLast paragraph: OCIO has already rescinded NUREG/BR-0168, Rev. 2 entitled, \xe2\x80\x9cPolicy for\nProcessing and Handling Unclassified Safeguards Information and Other Sensitive Information\nin the NRC Local-Area/Wide-Area Network Environment,\xe2\x80\x9d to eliminate the processing of SGI on\nthe NRC LAN.\n\nPage 21, (now page 13, last sentence of this report): The draft report states, \xe2\x80\x9cIn short, SGI\nshould not be processed on any computer that is or will be connected to the LAN.\xe2\x80\x9d The report\xe2\x80\x99s\ncorresponding Recommendation 6 (\xe2\x80\x9cRevise NRC procedures to eliminate the processing of SGI\non the LAN\xe2\x80\x9d) appears to be unnecessarily restrictive.\n\nThe draft report highlights an important fact, i.e., that existing guidance for automated\nprocessing of SGI is not consistent, and in some cases wrong. This may be addressed in other\nways.\n\nWe recommend that Recommendation 6 be changed to read:\n\n       \xe2\x80\x9c6. Revise documentation for NRC procedures to eliminate the processing of SGI on\n       the LAN inconsistencies and ambiguities that could imply SGI can be processed on a\n                                             35\n\x0c                                                      Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n       personal computer while it is connected to the unclassified NRC LAN, and to ensure that\n       personal computers used for SGI processing while disconnected from the LAN do not\n       employ fixed hard drives.\xe2\x80\x9d\n\n OIG Response:\n\n OIG submitted its discussion and final draft reports to the agency in early September and late\n October 2003, as applicable, and the agency\xe2\x80\x99s response to the report was received\n December 12, 2003. In the interim, if agency staff have taken actions to address parts of the\n OIG recommended actions, they have not officially notified OIG nor provided any evidence of\n these actions. Moreover, OIG believes that recommendation 6 is appropriate as written.\n\n\n\nAgency Comments:\n\nPage 22, (now page 14 of this report): The report\xe2\x80\x99s Recommendations 4 and 5 deal with\ntelecommunications equipment for transmitting SGI. Pages 16 through 19 of the report\naddress acquisition, installation, maintenance, and testing of this equipment, detailing\nnumerous problems with testing and reliability. On page 16, however, there is a statement\nabout the availability of new equipment that can encrypt conversations through regular\ntelephone lines, without the use of special equipment, such as STU-IIIs or STEs, or an ISDN\nline. The report appeared to encourage a switch to this new technology.\n\nRecommendations 4 and 5 on page 22 seem to neglect this promising new and available\ntechnology, and focus instead on continuing to commit resources for the less reliable\ntechnology now owned by the NRC. They refer to a separate secure telecommunications\nnetwork that may not be necessary if the new technology is used. Recommendations 4 and 5\nshould be revised to permit or encourage a switch to the new technology, rather than force\nNRC into spending large amounts of money to acquire, install, test, and maintain the current\ntechnology that involves supporting a separate secure telecommunications network.\n\nThe transition to a new secure telecommunications technology may not be instantaneous or\npainless, but the report\xe2\x80\x99s recommendations should not, in effect, restrict us to staying with the\ncurrent technology longer than necessary. We suggest the following revisions to\nRecommendations 4 and 5:\n\n       \xe2\x80\x9c4. Provide adequate resources to ensure the timely installation, maintenance, and\n       troubleshooting of problems with acquire, install, test, and maintain appropriate secure\n       communications technology to effectively and efficiently support the secure\n       telecommunications equipment needs of the NRC, as new technologies become\n       available and affordable.\xe2\x80\x9d\n\n       \xe2\x80\x9c5. Formalize a program for periodic testing and documentation of the currently installed\n       secure telecommunications network systems to ensure continuing functionality for\n       regular use and its readiness for emergency use.\xe2\x80\x9d\n\n\n\n\n                                                36\n\x0c                                                     Audit of NRC\xe2\x80\x99s Protection of Safeguards Information\n\n\n\n\nOIG Response:\n\nOn page 11 of the report, OIG cited, as an example, that NSA officials said that new\nequipment is now available that can encrypt conversations through regular telephones. OIG\ndid not corroborate this information or do any audit work to determine the feasibility of its use\nby NRC. As such, the agency would have to consider the application and cost of such\nequipment for future use by the agency. Until such time as the agency replaces the secure\ntelecommunications equipment currently in place, NRC must ensure that the system it\ncurrently employs is properly installed, maintained, troubleshot, and tested. No revisions to\nthe recommendations 4 and 5 are needed.\n\n\n\n\n                                              37\n\x0c"